July 19, 2022
The Honorable Frank Pallone
Chairman
Energy and Commerce Committee
U.S. House of Representatives
Washington, D.C. 20515
The Honorable Cathy McMorris-Rodgers
Ranking Member
Energy and Commerce Committee
U.S. House of Representatives
Washington, D.C. 20515
Re: Committee Markup of the Amendment in the Nature of a Substitute to the American Data Privacy and Protection Act (H.R. 8152)
Dear Chairman Pallone and Ranking Member McMorris Rodgers:
Our members are strong proponents of protecting consumer data and privacy and have done so for a very long time because protecting consumer financial data is a cornerstone of their business. Our members have been subject to extensive federal privacy and data protection laws and regulations for several decades. While we support privacy and security protections for consumer data for all companies, especially technology and other firms that are increasingly moving into financial services, we continue to have serious concerns about several provisions included in the American Data Privacy Protection Act (ADPPA) (H.R. 8152).
GLBA and Data Privacy
The primary privacy and data security consumer protection law for consumer financial data is Title V of the Gramm-Leach Bliley Act (GLBA). With the GLBA, Congress carefully constructed a privacy and data security regime to provide an effective and successful balance between strong consumer protections and ensuring that consumer financial transactions take place in a safe and secure environment. In particular, the current regime has been carefully structured to ensure compliance with existing laws and regulations, adherence to judicial process, and \ protection from fraud, illicit finance, money laundering and terrorist financing. Further, GLBA grants federal financial regulators with broad authority to adopt necessary regulations to enact these standards, thus allowing the regulatory regime to adapt over time as privacy concerns evolve.
Notably, the GLBA requires that financial institutions provide consumers with notice of their privacy practices and generally prohibits such institutions from disclosing financial and other consumer information to third parties without first providing consumers with an opportunity to opt out of such sharing.
It is clear that Congress has long recognized the importance of privacy for financial institutions and has put in place several meaningful frameworks that include strong privacy and data security protections that have been carefully balanced with commonsense exceptions to minimize disruptions to financial markets. While the financial services trade associations support legislation to put in place a national privacy standard, that standard must recognize the strong privacy and data security standards that are already in place for the financial sector under the GLBA and other financial privacy laws and avoid provisions that duplicate or are inconsistent with those laws.
As currently framed, the ADPPA does not include unambiguous language for financial institutions to understand their exemption from the requirements of the bill. This will lead to duplicative and conflicting requirements for financial institutions already subject to oversight by GLBA regulation. This framework will be disruptive to the financial system, consumers, and the economy. The ADPPA should be amended to broaden the provision to exempt all GLBA regulated institutions to avoid such disruption.